Hacking Voting Machines at Defcon (horner.tj)
303 points by maxerickson on July 31, 2017 | hide | past | favorite | 238 comments


I used to think electronic voting was the logical next step. But now, I think voting is too important to be left to electronics. It should be done on paper.

We trust billions of dollars every day to electronic banking, so why not a vote? Electronic banking comes with many types of federal guarantees to protect against fraud. The government can step in to investigate and prosecute the fraud as well. But there is no such guarantee for the voting to select the government itself!

But it takes so long to aggregate the votes if done with paper ballots. Precisely the point. Electronic voting allows scalable attacks where the number of weak points is dramatically reduced. It is very hard to scale attacks on paper ballots. You would need a coordinated effort in many voting stations to make it work as opposed to hacking a more central electronic system.

That is why I moved from thinking that electronic voting is the logical next step to thinking that we probably need to revert back to paper ballots.


Anyone interested in electronic voting, I would suggest reading the article: Internet Voting: A Requiem for the Dream in the last issue of Phrack. It was eye opening for me. http://phrack.org/issues/69/11.html#article

Conclusion:

    1. Internet voting is not compatible with democracy
    2. No amount of technology can change this
    3. Whom you voted for ought to be secret
    4. Who voted should not be secret -- it should be known as widely
       as possible
    5. And who counts the votes, and how, certainly ought not be secret


Electronic voting != internet voting. Remote voting has irresolvable problems with regard to voter secrecy: you can't preserve that with remote voting, and it's indispensable to ensure you don't sell your vote.

But that is not synonymous with electronic voting. You can go into a polling station and vote on machines; a well designed system shares all vital properties of paper systems while adding many useful features, including ways to reliably count votes algorithmically in an independently verifiable way (any citizen can do the math and check the results, and check that each person only voted once, even though they can't tell who voted for whom).

Don't say it's impossible, with a bit of ingenuity and a bit of mathematics it can be done. :P

EDIT: For more info read https://en.wikipedia.org/wiki/End-to-end_auditable_voting_sy.... It's fascinating.


It's impossible to have an electronically mediated voting system that both protects the secret ballot and ensures the public count. Because there is no digital equivalent to the one-way hash of dropping a ballot into a ballot box.

Chaum, Rivest, Pret a Whatever... Fine. Prove it. With a real world election (simulated). Burden of proof lies with the technophiles, not with the proud defenders of Democracy.


People used to say the same thing about digital currencies (think: Beenz.com https://en.wikipedia.org/wiki/Beenz.com ) - because digital information can be copied freely, therefore a digital currency would need a central arbiter and a distributed digital currency would be impossible. And then BitCoin and the blockchain happened.

To say Internet voting is impossible is to admit a failure of imagination and ingenuity - I'm confident that some novel application of cryptographic and distributed-computing techniques could come up with a secure system.

But I'm wary of how complicated it would necessarily be to the average voter, or even someone with an advanced knowledge of computing - concepts like hashing and the blockchain are almost impossible to correctly explain to a layperson, let alone do they have a way to be confident of the results themselves - it would immediately cast doubt on the system because you cannot trust something that you cannot understand.


Ah, thank you for the reminder.

Moratorium on blockchain-based voting system proposals.


https://www.quaxio.com/simple_auditable_anonymous_voting_sch... explains how to create a toy voting system which both preserves privacy and where everyone can tally the votes.

If you were to actually build something like this, you would use blind signatures. But having this toy example shows that the two concepts aren't exclusive.
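Added example, not code from the linked quaxio post or from this comment: the blind-signature step the comment says a real build would use, in Go with only the standard library. The authority signs a blinded hash of the ballot, so it can enforce one signature per registered voter without ever seeing the ballot, and anyone can later verify the unblinded signature with the ordinary RSA check. The names Authority, Blind, Unblind and Verify, the voter ID and the ballot text are invented for the demo.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"math/big"
)

// Authority holds the election signing key and remembers which registered
// voters have already been served, so each voter gets exactly one signature.
type Authority struct {
	key    *rsa.PrivateKey
	issued map[string]bool
}

func NewAuthority(bits int) (*Authority, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	return &Authority{key: key, issued: map[string]bool{}}, nil
}

func (a *Authority) PublicKey() *rsa.PublicKey { return &a.key.PublicKey }

// BlindSign computes blinded^d mod N once per voter. The authority sees only
// the blinded value, never H(ballot), so it cannot link the ballot that is
// later cast to the voter it signed for.
func (a *Authority) BlindSign(voterID string, blinded *big.Int) (*big.Int, error) {
	if a.issued[voterID] {
		return nil, errors.New("voter " + voterID + " already received a signature")
	}
	if blinded.Sign() <= 0 || blinded.Cmp(a.key.N) >= 0 {
		return nil, errors.New("blinded value out of range")
	}
	a.issued[voterID] = true
	return new(big.Int).Exp(blinded, a.key.D, a.key.N), nil
}

// ballotHash maps the ballot bytes to an integer modulo N.
// Demo simplification: plain SHA-256 is far shorter than N (not a full-domain hash).
func ballotHash(ballot []byte, pub *rsa.PublicKey) *big.Int {
	h := sha256.Sum256(ballot)
	return new(big.Int).Mod(new(big.Int).SetBytes(h[:]), pub.N)
}

// Blind returns H(ballot) * r^e mod N and the blinding factor r, which the
// voter keeps secret until Unblind.
func Blind(ballot []byte, pub *rsa.PublicKey) (blinded, r *big.Int, err error) {
	one := big.NewInt(1)
	for {
		r, err = rand.Int(rand.Reader, pub.N)
		if err != nil {
			return nil, nil, err
		}
		if r.Sign() > 0 && new(big.Int).GCD(nil, nil, r, pub.N).Cmp(one) == 0 {
			break
		}
	}
	rToE := new(big.Int).Exp(r, big.NewInt(int64(pub.E)), pub.N)
	blinded = new(big.Int).Mul(ballotHash(ballot, pub), rToE)
	blinded.Mod(blinded, pub.N)
	return blinded, r, nil
}

// Unblind strips the blinding factor: (H(m) * r^e)^d * r^-1 = H(m)^d mod N.
func Unblind(blindSig, r *big.Int, pub *rsa.PublicKey) *big.Int {
	s := new(big.Int).Mul(blindSig, new(big.Int).ModInverse(r, pub.N))
	return s.Mod(s, pub.N)
}

// Verify is the ordinary RSA check anyone can run on a cast ballot: s^e == H(ballot) mod N.
func Verify(ballot []byte, sig *big.Int, pub *rsa.PublicKey) bool {
	got := new(big.Int).Exp(sig, big.NewInt(int64(pub.E)), pub.N)
	return got.Cmp(ballotHash(ballot, pub)) == 0
}

func main() {
	auth, err := NewAuthority(2048)
	if err != nil {
		panic(err)
	}
	ballot := []byte("ballot: candidate B") // constructed sample ballot
	blinded, r, _ := Blind(ballot, auth.PublicKey())
	blindSig, _ := auth.BlindSign("voter-0001", blinded) // hypothetical voter ID
	sig := Unblind(blindSig, r, auth.PublicKey())
	fmt.Println("valid signature:", Verify(ballot, sig, auth.PublicKey()))
	_, err = auth.BlindSign("voter-0001", blinded)
	fmt.Println("second request:", err)
}
```

Two caveats a practitioner would attach: the textbook blinding above hashes with bare SHA-256, whereas a deployable scheme pads to a full-domain hash (RFC 9474 standardizes RSA blind signatures for exactly this reason), and the voter must discard r after unblinding. What blind signatures buy here is that the authority cannot link a cast ballot back to the voter it authorized; the channel the ballot is then cast over still has to be anonymized separately, which is the point the replies below go on to argue about.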


All crypto schemes I studied rely on hash collisions. Meaning your ballot is hidden within a herd of ballots. This works for hypothetical elections where there are lots of voters and simple ballots.

Alas. Our actual elections are administered per precinct (say 0 - 1000 voters) and have complicated ballots (dozens of issues, races). Meaning your utterly unique ballot is unlikely to collide with any other cast ballot.

The blockchain-based schemes I briefly studied rely on fuzzing timestamps. A different kind of collision.

Here's the takeaway: Our elections administration is finely tuned to the Australian Ballot. Any new voting system has to specify the style of ballot, which circumstances are applicable, and how the laws, rules, and procedures will have to be modified to adopt it.


Did you even read the link I posted? It's a voting scheme which is anonymous and auditable. It can be turned into a usable system using blind signatures. Nowhere does it mention hash collisions.


You're right. I didn't bother. I just now went back and parsed it.

You're right. No hash collision (shuffle) in that arm waving proposal. So there's no attempt to anonymize the voter's identity.

Votes cast and recorded in order deanonymize the ballots. If the order is not recorded then the election cannot be audited.

As I hinted (elsewhere), the blockchain proposals fudge the timestamp (when the ballot is cast) in an attempt to anonymize the voter.


There's a big difference between claiming there is no current technology to do this (which I agree with), and claiming it is impossible for there to ever be any in the future.


> Because there is no digital equivalent to the one-way hash of dropping a ballot into a ballot box.

This is equivalent to preventing double-spending in the blockchain analogy - a solved problem. There are already companies trying to exploit this to develop electronic-voting systems: https://followmyvote.com/.

I imagine it working like this:

1. Government announces an election. Registered voters are asked to submit the public addresses of their 'vote wallets'. The public addresses of the wallets are derived from the registered voter's public information (e.g. their name). This information need not be secret. The public blockchain would ensure that everyone who is registered received their votes to cast: the equivalent of receiving an empty ballot paper.

2. A Monero-like system (confession: I don't fully understand it yet) acting as a blackbox or Bitcoin-tumbler system then distributes empty-ballots from the public wallets into new private wallets that each registered-voter will have created in an anonymous fashion.

3. Registered voters then cast their votes by 'spending' their ballots (coins) by sending them to the public wallets of electoral candidates. These transactions may be cryptographically signed by a private key derived from the registered-voter's public wallet. This allows a voter to verify that their vote was correctly cast, without allowing others to see whom they actually voted for.

4. There is a problem in that the results of the election cannot be kept secret until the election is over, as the blockchain must be distributed publicly, so observers will see the votes going towards a particular candidate as-they-happen, which will necessarily change voters' votes in cases of tactical-voting; though possible solutions exist, such as having blockchain network nodes agree to only allow final vote transactions during a tiny time window of only a few seconds - or a Proof-of-Work system that will necessarily take more computation time to verify a vote was for a particular candidate the more in-advance of the polls-closing deadline the vote was made.

Because votes cannot be 'mined', and all originate from a single 'government wallet' it means that votes cannot be manufactured - as far as I can tell the only weakness is that false voter-registrations could exist and be used to cast votes, but then we have that situation with postal-voting now any way. If a tumbler approach is used to distribute ballots from public wallets to private wallets it's possible for participants to create more than one private wallet, and claim more ballots for themselves - but this can be detected by:

1. As part of step 1 above, voters create a private secret K.

2. Each voter then creates a hash of K, known as K'.

3. The blockchain would also contain a Bloom-filter, or equivalent implementation of a "Set contains a member" test that does not reveal the actual set contents. Then a strictly sequential process begins, where the Bloom-filter is publicly modified by each registered voter to add their own K' values - this necessarily means that the K' values of the first voters will be publicly known entirely, but as the table becomes more populated it will be impossible to fully know what the entire values of each K' value is. This can be mitigated by having the system create known 'sacrificial' / dummy voters to provide some initial protection for the first actual voters.

4. When the private wallets are created by each voter (in step 2 above) they must be tagged with the K values each voter created as Kp. A private wallet will only be able to participate in the ballot distribution process if the hash of its Kp value (Kp') appears in the Bloom filter populated in the previous step - thus restricting each voter to only 1 private ballot wallet.


re #4,

Right to voter privacy (secret ballot) is in my state's constitution.

I'm open to relaxing absolute privacy with something like temporary time boxed privacy. Like until an election is certified.


This has been solved, and it's really simple actually.

I wrote about it in another comment, but I'll quickly go over the technology here as well.

When a citizen votes, the vote is encrypted with the government public key. The vote is then put into a container and is signed with the citizen's private key.

The vote gets sent to the voting-system servers and is then stored until counting day.

Once the voting period has ended the encrypted votes are pulled out of the signed containers and the signed containers themselves are destroyed; this anonymizes the votes. Only then are the encrypted votes decrypted with the government private key.

We keep the signed containers around the encrypted vote to make sure no-one can be forced to e-vote. Every citizen can vote as many times as they want during the e-voting period and only the last vote counts.

So if someone is standing behind you and telling you to vote somehow, you can do as they say and just vote again afterwards.

As an extra backup, if you do cast your vote on paper as well, then the paper vote is counted and the e-vote is discarded.

The system has a prerequisite though, each citizen must have a private key. We do, as it's stored on our ID cards (equivalent to passports within the EU).

Procedures are in place to protect the Government private key during the voting period and just like with paper-voting observers are involved in every step of the process.

The English documentation is scarce, but the software itself is open source: https://github.com/vvk-ehk/evalimine


Ah. Opened that link. Stopped once I saw "Estonia internet voting"

https://en.wikipedia.org/wiki/Electronic_voting_in_Estonia#C...


That one, yes :)

Their whole analysis is based on this claim: "claiming they could be able to breach the system, change votes and vote totals, and erase any evidence of their actions if they could install malware on the election servers."

That is true for all server based software.

Procedures have been set up to mitigate this risk. All software, servers and anything else running in the network is audited before, during and after the election. The whole process is public and anyone can become an observer, just like with paper ballots. There really are many eyeballs making sure the election servers are running the software they are supposed to.

AFAIK everything else they pointed out was purely procedural and the guidelines there have been updated. There really weren't any reproducible technical issues and some of the procedural ones are outright misrepresentations.

The full sources for these two are sadly in Estonian, but the main response to that research can be seen here in English: http://www.vvk.ee/uudised/vabariigi-valimiskomisjoni-vastula...

""" Posted Wi-Fi credentials — The official video of the pre-election process reveals credentials for the election officials’ Wi-Fi network, which are posted on the wall. """

The credentials were actually just for a separate public guest network, that has nothing to do with the "election officials network" or the network where the voting servers are.

or: """ Keystrokes reveal root passwords — Videos posted by officials during the election show operators typing, inadvertently revealing root passwords for election servers. """

Although this was recognized as a possible attack vector and the procedures for filming have been updated, the "operator" typing a password was actually one of the observers typing a password in their own computer.

Obviously any hints to compromised processes are taken with 100% seriousness and if needed processes and guidelines are changed to protect the integrity of the system.

Any technical reports are also (publicly) analyzed and if an issue is indeed found, they're fixed. The thing is, "https://estoniaevoting.org" said everything is bad, and the system should not be used, but never published/provided any reproducible test-cases that could be verified.

OSCE has audited all of our elections, they've given some procedural pointers that have been implemented, but OSCE observers have not deemed our elections compromised.

This is their 2011 audit: http://www.osce.org/odihr/77557?download=true, the pointers given to improve our system have been implemented by now.

And here is their 2015 audit: http://www.osce.org/odihr/elections/estonia/160131?download=..., which has some new pointers, but again has not deemed the system to be insecure.

We're having another parliamentary election in 2019 and again, the system will be improved for that (more verification methods are being implemented), but so far, all of our elections have been deemed acceptable and work is being done to keep the track record.


The Estonian method is too complex to be easily proved to be secure. You have to play a cat-and-mouse game ad infinitum to keep up its integrity. Simpler systems are less costly over the short and long term, and more secure by default.


Could you give me an example of what makes it too complex and maybe an example of a system that is simpler?


Estonian reporting in.

Our internet voting system has solved this problem. The vote's secrecy is guaranteed by allowing citizens to vote multiple times and only the last vote is counted. No-one is obligated to vote on the internet and a paper system works in parallel. If you cast your vote on the internet AND with a paper ballot as well, the paper ballot is counted.

This guarantees no-one can be forced to vote, as they can simply vote again in the 7 day e-voting period.

Each vote is encrypted and signed, but in two different containers. The government public key is used to encrypt the vote. That container is then wrapped into another that is signed with the citizen's private key. Before counting, the double-casts are filtered out and the votes are anonymized by removing the signed wrapper.

And, it's open source: https://github.com/vvk-ehk/evalimine
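The double-envelope flow described in this comment and in the longer Estonian comment earlier in the thread, written out as an added Go example. This is not code from vvk-ehk/evalimine: it uses Ed25519 in place of the ID-card signature, RSA-OAEP in place of the real encryption to the election key, and the names Envelope, Server, Tally and the voter IDs are invented for the demo. It shows the three rules both comments give: any number of e-votes per voter with only the last one counted, a paper ballot cancelling the e-vote, and the signed outer container being discarded before anything is decrypted.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"math/big"
)

// Envelope is what the collection server stores: the vote encrypted to the
// election key (inner container), wrapped in a signature made with the
// voter's ID-card key (outer container).
type Envelope struct {
	VoterID    string
	Seq        int // arrival order assigned by the server; the highest one counts
	Ciphertext []byte
	Signature  []byte
}

// Voter holds the ID-card signing key (on a real card it never leaves the chip).
type Voter struct {
	ID   string
	priv ed25519.PrivateKey
}

func NewVoter(id string) (Voter, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	return Voter{ID: id, priv: priv}, pub, err
}

// NewElectionKey stands in for the key whose private half is guarded until counting day.
func NewElectionKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// Cast encrypts the vote under the election public key, then signs the ciphertext.
func (v Voter) Cast(electionPub *rsa.PublicKey, vote string) (Envelope, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, electionPub, []byte(vote), nil)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{VoterID: v.ID, Ciphertext: ct, Signature: ed25519.Sign(v.priv, ct)}, nil
}

// Server models the collection service: it knows the ID-card PKI and accepts
// any number of envelopes per voter during the voting period.
type Server struct {
	registry map[string]ed25519.PublicKey
	box      []Envelope
}

func NewServer() *Server { return &Server{registry: map[string]ed25519.PublicKey{}} }

func (s *Server) Register(id string, pub ed25519.PublicKey) { s.registry[id] = pub }

func (s *Server) Receive(env Envelope) error {
	pub, ok := s.registry[env.VoterID]
	if !ok {
		return errors.New("unknown voter")
	}
	if !ed25519.Verify(pub, env.Ciphertext, env.Signature) {
		return errors.New("signature does not verify against the voter's ID-card key")
	}
	env.Seq = len(s.box)
	s.box = append(s.box, env)
	return nil
}

// Tally applies the thread's rules: a paper ballot cancels the e-vote, only the
// last e-vote per voter counts, the signed wrappers are dropped and the remaining
// ciphertexts shuffled before the election private key touches anything.
func Tally(box []Envelope, paperVoters map[string]bool, electionPriv *rsa.PrivateKey) (map[string]int, error) {
	last := map[string]Envelope{}
	for _, e := range box {
		if paperVoters[e.VoterID] {
			continue
		}
		if prev, ok := last[e.VoterID]; !ok || e.Seq > prev.Seq {
			last[e.VoterID] = e
		}
	}
	cts := make([][]byte, 0, len(last))
	for _, e := range last {
		cts = append(cts, e.Ciphertext) // VoterID, Seq and Signature end here
	}
	for i := len(cts) - 1; i > 0; i-- { // Fisher-Yates shuffle with a CSPRNG
		j, err := rand.Int(rand.Reader, big.NewInt(int64(i+1)))
		if err != nil {
			return nil, err
		}
		cts[i], cts[j.Int64()] = cts[j.Int64()], cts[i]
	}
	counts := map[string]int{}
	for _, ct := range cts {
		pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, electionPriv, ct, nil)
		if err != nil {
			return nil, err
		}
		counts[string(pt)]++
	}
	return counts, nil
}

func main() {
	key, _ := NewElectionKey()
	srv := NewServer()
	alice, alicePub, _ := NewVoter("alice") // constructed voters
	bob, bobPub, _ := NewVoter("bob")
	srv.Register("alice", alicePub)
	srv.Register("bob", bobPub)
	coerced, _ := alice.Cast(&key.PublicKey, "party A") // cast under pressure
	free, _ := alice.Cast(&key.PublicKey, "party B")    // re-cast afterwards
	bobVote, _ := bob.Cast(&key.PublicKey, "party A")   // bob also votes on paper
	for _, e := range []Envelope{coerced, free, bobVote} {
		_ = srv.Receive(e)
	}
	counts, _ := Tally(srv.box, map[string]bool{"bob": true}, key)
	fmt.Println(counts) // map[party B:1]
}
```

Tally is where the trust concentrates: whoever runs it holds the voter-to-ciphertext mapping right up to the line where the wrappers are dropped, which is the "malware on the election servers" concern the replies raise. This demo shuffles in memory; the procedural controls the comment describes (observers, audited servers, separated custody of the election private key) exist because the code alone cannot prove that the mapping was not retained.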


If you can vote online, and on paper, and the paper one always trumps the electronic one, then a fraudulent party would just fake the paper ballots and send them in for everyone in the country. Everyone who depended on the electronic vote would then no longer control their vote.


The same can be said for the paper ballots that are never used. Voter turnout is never 100%.

As an example, faking even 10% of the abstained votes would have swayed the Brexit results.

I don't see how this makes online voting insecure, fake paper ballot risk has always been there and has been deemed to be a mitigated risk.


Here the Ethereum approach with transactions would solve that. All votes would be public but still anonymous.


Look, I'm not going to say you are wrong, but... not every conversation needs to descend into ham-fisting bitcoins into it. Nowadays, it's like a Godwin's Law type thing, but instead of everything devolving into Nazis, now everything devolves into 'the blockchain will fix it'. I miss Dogecoin, at least they were in on the joke.


I get the crypto fatigue because I feel it as well, but it really does apply here. Trustless voting is one of the more interesting possible applications of blockchain tech, and if properly implemented it could very well do away with voter fraud.


Only by introducing hundreds of extra failure modes. If you implement this I can now destroy your democracy by:

- Bribing voters because you've implemented voting over the network

- Once you figure out you need to switch to voting booths I'll do timing attacks to deanonymize the vote

- As soon as you have a count I'll seed distrust in the count as only a very small percentage of the population actually understands the blockchain and cause a riot or two

Electronic voting is the reverse FizzBuzz. FizzBuzz tests if you know the absolute basics about technology to implement something extremely simple. Electronic voting tests if you are able to reject the use of technology when it doesn't add any advantage and instead creates very hard to solve failure modes. Voting benefits from the use of the extremely simple ballot and box. It benefits from it not being programmable and from the counting method being something that almost all the population is able to carry out let alone understand.


> voter fraud.

Red Herring. Not counting voter registration fraud, https://www.washingtonpost.com/news/the-fix/wp/2016/12/01/0-... Washington Post only found 4 cases in the 2016 election.


In case you haven't noticed, there are some other countries in this planet beside the United States :P. Voter fraud is a major problem in many developing countries, and electronic voting (if properly implemented) could help tremendously in making elections a great deal more transparent.


That's the point. it can't be properly implemented.


Why do you say that? Is there a proof of non-satisfiability for a set of criteria? Or you just decided it can't be done?


Ha, yeah I was going back and forth between adding "to the extent that it exists". Nonetheless, we can't predict whether fraud/hacking is something we'll need to really worry about in the future. If a good solution exists, we should strive for it I think.


Like I said, it isn't wrong, and I kinda agree. Democracy is awesome but slow, we know that. It's also old, and we may have better versions out there now, maybe a Git-Democracy thingy, where it's mostly automated and we have 'code comments' in the laws to help with the judges. I dunno.

That said, bit-coins and their ilk are obvious tulip bubbles now, their hope is gone under the greed. Yes, the ideas are interesting and may have applications that are unseen. But as communism was great in theory and genocides in practice (mostly), I think the relentless blockchain spam is missing the point as well: Theory ain't shit because humans are assholes. And no, the blockchain is not going to solve that too.


No, it's not going to solve people being assholes. But a shared, write-only and unalterable database of voting transactions created by pseudonymous entities could be an extremely useful tool if we really want to safeguard against this kind of thing.

Because of the rhetoric surrounding blockchain spam, it's easy to make the comparison to marxist theory. But I think it's really just a technology, not some grand scheme to alter our economic system. It's more realistic to simply say that it's a tool that could provide some very useful real world applications.


Look, I know, it's cool, and like, it has the potential to help. But trying to tech/math your way into a better democracy isn't very likely because people are assholes; you have to make incentives for the assholery to fight itself, it's not easy. Hofstadter in Godel Escher Bach goes WAY into why that is from a math/physics/art/music point of view, you should read it (maybe you have already), it's like 6 bucks. https://www.amazon.com/gp/offer-listing/0465026567/ref=tmm_p...

I'm not confounding bitcoins with marxism and that mess of history. I'm just saying that there are things out there that were good in theory, but the applications of the theory are just plain terrible, marxism is a famous example of that.


>But trying to tech/math your way into a better democracy isn't very likely because people are assholes

That's ridiculous. So we can't do anything, whatsoever, to improve our society and our systems, because eh people are assholes or whatever? That's nonsense. Of course we can improve our systems, our laws, our government, and of course mathematics and technology can help. For example, our voting systems are woeful because they are holdovers from a time when nobody thought about these things from a mathematical point of view (and nobody still does: "let's just vote for people and let the person with the most votes win" sounds perfectly simple and correct for 99% of the population). But we can do much better, and it can objectively improve our democracy a whole lot.

Will applying mathematics and technology to democracy fundamentally change and transcend human nature? Duh, of course not, but nobody claimed it will. There's plenty between implementing a utopia and doing nothing at all.


> So we can't do anything, whatsoever, to improve our society and our systems, because eh people are assholes or whatever?

Yes, that is correct. Also, me and Mr. Strawman could use some more hay, do you have any?

> ...and nobody still does...

This is what I'm talking about. Trying to force math/tech onto a democracy/republic where the voting population doesn't understand it cannot end well. The voter will be suspicious, and rightfully so, of the process if they do not understand it. This is especially true if there is any corruption in the system at all. Since we know men are not angels, then the vast majority of voters must have belief in the processes as we all know men do become devils. Democracy demands this faith to work. Yes, we can make the system mathematically better, but if that comes at the cost of the faith in democracy, then it's moot. Even with the system we have now, simple as it is, there is already a large lack of faith in it by a lot of the US, and this is already a threat to the idea of self-determination.


Big barrier: Convince voters that the system is reliable in theory and perfectly implemented.

Paper works fine.


But... if he's not wrong and it is actually relevant to the discussion why are you upset about it? Is he supposed to refrain from mentioning it because... it's been popular for the past few weeks and so you're tired of hearing about it?


I dunno. The constant barrage of: "BlockChains, but for Cancer!" just seems ... derivative now. Like the 'Uber, but for dogs' was this time last year. Everyone knows these hacker-coins are a scam, the last one with them loses their shirt. Yeah, the ideas are kinda cool, but, nah man. Like, from Mean Girls: "Gretchen, stop trying to make 'Fetch' happen, it's not gonna happen"

https://www.youtube.com/watch?v=Pubd-spHN-0


Such elections, much votes, wow.


Wouldn't most current block-chains tie a rather fine (say 5-minute, accounting for drift) timestamp to each vote? So in small voting districts, if you had a way to know approximately when people voted, you could go a long way towards de-anonymizing votes (say, you managed to track someone's device, that they used for voting, or track their location, if using dedicated voting machines)?

I don't know if it would be inherent to making a secure voting system on a block-chain that you had such (unnecessary for voting) fine-grained timestamps, but just a thought.


Tom Scott has a very educational video[0] on why electronic voting is a really bad idea.

[0]: https://www.youtube.com/watch?v=w3_0x6oaDmI


>But it takes so long to aggregate the votes if done with paper ballots.

This one was always weird to me. Other countries always manage to count the votes in one night, and while the USA is very big, you'd think there would be that many more people counting the ballots available to make up for it. I guess it doesn't scale that easily.


Maybe the (low) number of voting locations is a problem?

Around here, it's recommended to have a polling location for every 800~1000 voters and a booth per ~300 voters.

When the polling location closes, staff (volunteers) start counting very publicly: anyone can watch and the procedure is legally specified such that overseers can trivially keep track and count of everything, the results are certified, displayed at the polling location and (if necessary e.g. for non-local elections) sent up to the next administrative division.

Unless there are improprieties, it doesn't take very long to count a thousand votes.


As a UK citizen, some of the voting practices I see in the US seem really mind-boggling:

- Not enough polling stations

- Long lines as the norm in many places

- Polling stations closing early -- I've seen 8pm

- Exit polls released before voting closes

I guess these are generally due to the US being a large country spanning several time zones, with low population density. But they seem fixable, especially if you care enough about the integrity of the vote to commit enough staff and money to the process.

Given the ridiculous amount of money that gets ploughed into campaigning in the US, it seems bizarre that you can't spare a fraction of that to improve the process. But it seems like what little money is available is captured by hucksters selling electronic voting machines.

(Not that the UK system is perfect! Our voting system is pretty bad. Both countries could really use PR.)


The simple explanation is that those things are often done with purpose.

Lack of resources can also be an issue, voting is generally administered at the county level and state/federal funding is pretty limited.


Yeah, the targeted voter suppression is terrifying (and apparently legal! But hopefully that can be remedied in the courts. The recent progress on gerrymandering seems promising.)


Anecdote: the small city I used to live in once scheduled polls on the same weekend night as three popular local sports events. Can any system work with arbitrarily rotten politicians?


That voting is a regular workday seems unworthy of a democracy.


Arguably, this is just another form of "legal" voter suppression.

An employer cannot legally fire a person for taking time off to vote, or to attend jury duty. That doesn't mean they don't, it just means they can't do so legally.

But if you are someone who depends on that job (such that you can't just go out and find another), losing that job because you voted is something you're going to weigh, and regardless of how you vote (though typically - at least historically, notwithstanding our last election - those on the lower-end of the economic scale vote for Democrats), you are more likely to want to keep your job to pay for rent and food, than to vote.

Furthermore, even if your principles matter more to you than your job, if you do get fired, you aren't likely to then go thru the process of taking your former employer to court for firing you (because that would mean more time and expense away from finding another job).

Heck - the employer may not even need to break any laws, just make implicit threats as to what will happen should an employee take time off without consent of the employer, while neglecting to tell the employee about their voting rights (and nobody reads those employee rights posters in the breakroom either). Even though such threats aren't arguably legal either, nobody is going to fight against them because again - that means loss of job and money to pay rent.


The UK votes on a weekday too! Though I think it's the combination of weekday voting and short polling station hours that's bad.

Weekend voting would feel weird to me, but you're probably right that it's better.


Indeed. Not very long ago, the BBC ran a story entitled "Why are elections in the UK held on Thursdays?":

http://www.bbc.co.uk/news/av/uk-england-hampshire-39795769/w...


I feel like weekend voting would help for those who work "regular 9-5 jobs" but those who are young, and say still in college/university and working weekends, would now have a more difficult time voting. The weekend type jobs usually won't let you have time off to vote, they schedule you that time because they're busy, so it might be much more difficult for those people.

At least the weekday election day somewhat levels the playing field, at least as I see it.


Why not just make it a public holiday? Maybe even offer some cheap food at each venue.


I'd go beyond that even. The US loves pageantry and celebrating freedom. But what event could be more appropriate for a celebration of freedom than voting day itself?

You could have small festivals at every voting booth to encourage people to come out to vote, and you could even move the ballot boxes as part of a big parade so there's absolutely no doubt in the process.


Why not leave the polls open for multiple days then?


Texas has early voting for about two weeks prior to poll day, which makes voting convenient. That said, the recent attempts at voter suppression and gerrymandering abuse are saddening.


In Australia we vote on Saturdays. That seems to work ok.


It works very well. We also have a basically-no-questions-asked early voting for a couple of weeks. Nominally it's intended for if you're preoccupied (overseas, working, etc.) on voting day but in practice people use it to dodge the lines.

That said, we also have so many voting booths (I have never not been able to walk to my closest - usually only about 1km away) that the worst line I've ever waited in was probably 10 minutes.


Bingo.

Too few voting places, and voting days are not holidays (or on sundays) like in other countries. There are very obvious steps that could be taken to solve both counting time and voter turnout as well as suppression.


> There are very obvious steps that could be taken to solve both counting time and voter turnout as well as suppression.

But when the party in power counts on that low turnout due to suppression in order to remain in power, do you really think they will do anything about it during their time in power?


I've volunteered to count votes before. It's finished within an hour of the polls closing.


Vote count could also be optimised with machines. Each party can bring its own OCR machine to count the votes. If there is a disagreement, fall back on humans.

The issue is with having a single machine that we have to trust end-to-end.


Even in this case you still have vulnerabilities in the two party's machines. Just because they have different interests doesn't mean that they'll apply strength to their machine's defenses, or even have the ability to stop the attacks on their machines assuming they were 100% committed to following correct procedure.


> Each party can bring it's own OCR machine to count the votes.

There are a five-digit number of voting precincts in the US, give or take.


Do Diebold machines still cost 3k a pop[1]? You can get 3 high-end scanners at that price. And generally more than one Diebold would be deployed per location right?

Let's say the scanner costs $500 and there are 9999 locations. That's 50M of investment per party that can be re-used. It's a lot of money but it's an order of magnitude less than their campaign cost[2]

[1]: https://www.wired.com/2008/04/the-cost-of-e-v/

[2]: https://www.opensecrets.org/overview/


Will this be mandatory for parties? Should the green party be forced to bring their own scanners?


Why would it be mandatory? It's a way to let parties assure themselves that the votes were counted by a trustworthy method. If they're already satisfied that that's true, then nobody can conceivably benefit by having them bring their own machines.


It would not need to be done for each poll place or precinct. Each party could pick high population or high risk precincts.

I think a larger issue is proving that the machines the parties brought are not tampering with the ballots.


Would you be okay with Republicans targeting largely black polling places?


Why wouldn't I be? They are just performing another count.

If one party brought machines to a poll place and managed to make trouble it is likely that the other party will show up too. Eventually it would just be part of the political landscape and the results would be better vetted all around.


> But it takes so long to aggregate the votes if done with paper ballots.

This is also why the complaints of government being slow to respond to things are hollow: It's meant to act that way.

Which is why Trump and his "Executive Orders" are problematic; that isn't to say they are problematic for previous administrations as well. At any rate, they exist for a certain purpose, but that freedom to use them has been abused pretty much from day one of their existence.

Arguably, they are there mainly for emergency purposes, when something needs to be done fairly quickly, but is something that would take too long to have done through ordinary channels (Congress, etc). It was probably (wrongly) assumed that Presidents would be wise and restrictive about their use (completely ignoring how human nature works of course).

I only mention Trump because he jumped into using them almost before he was sworn in; but so far (from what I understand) he has yet to break any records for usage of them during a term (except for maybe speed). In fact, the record actually belongs to FDR (who had 4 terms, also WW2, so that might be a part of everything).

In an emergency, I can understand their use, but outside of that, we (everyone, including the President) should trust in the slow plodding of our system. It may not be perfect or work out perfectly every time, but its lack of speed gives us time to reflect and make better decisions, IMHO.


Electronic voting is fine (WITH a paper trail)

You just need regulation to prevent the abysmal idiocy of manufacturers

Also standardize the interface (ADA compliant, etc)

Hire the Nevada Gaming Commission to regulate it and so be it. Make the machine print a paper backup that is put in a ballot box as well.


Voting in Canada, the ballots are paper, then you carry it over to a person who puts it face down into what looks like a flatbed scanner and hands it back to you, and you put it into a box.

I am assuming they count electronically, still maintain secrecy, and have a paper trail that can be manually counted if needed.


But is there any advantage to e-voting?

Assuming that we can achieve exactly equal security to paper voting for a moment, what have we achieved other than adding another few layers of middlemen and cost?


Arguably you could only count the paper ballots in case of litigation, otherwise you'd just use the result of the machine. Sounds like a decent compromise.

That being said here in France polling stations manage to count the ballots in a couple of hours at most after closing, so I'm not sure if it's really worth it.


The US moved to electronic voting in part due to the Florida vote counting fiascos in 2000. Electronic voting machines prevent users from making undervotes and overvotes (picking no candidates, picking more than one candidate). The machines also prevent the hanging chad issue in 2000 where the voter's intention was unclear. Electronic voting machines also enable blind voters to cast votes without assistance, giving them privacy and assurance that their vote wasn't tampered with. Paper voting can also have its own security weaknesses like ballot stuffing.


> what have we achieved other than adding another few layers of middlemen and cost?

and uncertainty. In principle the idea of hitting a button and having the non-networked machine spit out a paper trail that can be electronically counted sounds like a good compromise. But this leaves 1 or potentially 2 sources of uncertainty that are not necessary: (1) that what the machine prints actually corresponds to what you wanted and (2) that the counting machine actually counts what it says on the paper.

(1) is not such a risk if you can verify it visually before submitting. There do exist, I believe, some ideas in cryptography to allow you to carry a record of your vote that allows you to verify it without revealing the choice; these could have interesting application here, but I don't know the pros and cons.

(2) is even a risk in the non-machine case, although it can be mitigated by having multiple independent parties do the count. But it can't easily be done by machine and have the same level of certainty.


e-voting enables more sophisticated voting methods, such as [Range Voting](https://en.wikipedia.org/wiki/Range_voting).

Range voting is arguably more democratic than some other voting methods. But much more complicated to put in place with paper ballots :/.


There's a fundamental issue in voting, which is that ballot markings may not have a consistent meaning from voter to voter. Most analyses of voting methods ignore this and its impacts, which are difficult to quantify, but it's pretty clear the effect is maximized in two cases:

(1) systems which limit rankings to a fixed number (the most extreme case for real ballot methods being two) of ranks (approval and FPTP both are two-ranks methods), and

(2) systems which use numerical ranking systems that draw finer distinctions than mere ordinal ranking (range/score voting being the main example.)

The problem is minimized in ranked-ballots methods, though there is room for debate over whether forced or unforced rankings are better in this regard.

For this reason, I would reject range voting for most public elections independent of practical difficulty (there might be exceptional cases where a consistent meaning can be attached to range ballots, but it's not the case in normal public elections.)

OTOH, ranked ballots Condorcet methods which need to compare pairwise results are probably more tractable with e-voting (or, rather, e-tallying.)


Bayesian Regret calculations show Range Voting to be superior, even when accounting for your objections.

http://scorevoting.net/BayRegsFig.html

There's even a theorem that it tends to elect Condorcet winners under plausible models of voter strategy.

http://scorevoting.net/AppCW

Believe me, its advocates have heard every criticism you can imagine, and the counter-argument is robust. I recommend you check out the book "Gaming the Vote".


So you're saying add a paper trail which would need to be counted to be verified?

Doesn't that just make it more expensive than paper ballots?


The paper trail would be used for post-election verification. A nonpartisan body randomly selects several districts in the state every election and audits the paper record versus the electronic record. If there is a discrepancy, then an investigation is started and all of the records are verified.

This gets you the speed and ADA compliance of the machines, but the reliability of paper.

This commission also helps to ensure that there was no funny business at the aggregation center.
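The sample-and-escalate audit described in this comment, as an added example (not code from any election office or from the commenter): a public seed fixes which precincts get their paper record hand-counted against the machine total, and any mismatch escalates to checking every precinct. Precinct names, tallies and the seed string are constructed for illustration.

```python
"""Added example: a sample-based comparison audit of paper vs. electronic tallies."""
import hashlib
import random

# Constructed data: per-precinct totals as reported by the machines and as
# hand-counted from the paper record they printed. "P-04" is deliberately
# made to disagree so the escalation path is exercised.
ELECTRONIC = {
    "P-01": {"Alice": 412, "Bob": 388},
    "P-02": {"Alice": 275, "Bob": 301},
    "P-03": {"Alice": 530, "Bob": 498},
    "P-04": {"Alice": 360, "Bob": 340},
    "P-05": {"Alice": 190, "Bob": 215},
}
PAPER = {
    "P-01": {"Alice": 412, "Bob": 388},
    "P-02": {"Alice": 275, "Bob": 301},
    "P-03": {"Alice": 530, "Bob": 498},
    "P-04": {"Alice": 355, "Bob": 345},  # five ballots differ from the machine total
    "P-05": {"Alice": 190, "Bob": 215},
}


def select_sample(precincts, public_seed, k):
    """Choose k precincts from a seed published before the draw (e.g. dice
    rolled in public), so any observer can reproduce the selection."""
    digest = hashlib.sha256(public_seed.encode()).digest()
    rng = random.Random(int.from_bytes(digest, "big"))
    return sorted(rng.sample(sorted(precincts), k))


def compare(electronic, paper, precincts):
    """Return {precinct: (electronic, paper)} for every listed precinct whose
    two records disagree. A precinct missing from either record is reported
    as a discrepancy rather than silently skipped."""
    found = {}
    for p in precincts:
        e, q = electronic.get(p), paper.get(p)
        if e != q:
            found[p] = (e, q)
    return found


def audit(electronic, paper, public_seed, sample_size):
    """Compare the two records for a random sample of precincts; any mismatch
    escalates to a comparison of every precinct."""
    all_precincts = sorted(set(electronic) | set(paper))
    k = min(sample_size, len(all_precincts))
    sample = select_sample(all_precincts, public_seed, k)
    discrepancies = compare(electronic, paper, sample)
    escalated = bool(discrepancies)
    if escalated:
        discrepancies = compare(electronic, paper, all_precincts)
    return {"sample": sample, "escalated": escalated, "discrepancies": discrepancies}


if __name__ == "__main__":
    # The seed string stands in for a value announced publicly after the polls close.
    print(audit(ELECTRONIC, PAPER, "constructed public seed: dice 4 2 6 1", 2))
```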


I think "non-partisan" is just code for "not partisan yet". The parties get huge sway in shaping the voting district, why would this body be different? Could it stay different going forward and different parties attack it for different reasons?

There needs to be more than this.


> Hire the NGC

Actually this could work. Defcon this year was at Caesar's palace and despite a voting machine, a couple cars, multiple IoT devices, an electric scooter, and the Beijing Noodle's menu being pwned, nobody managed (dared?) to fuck with any one of the thousands of electronic slot machines.


People do do that; this is pretty well known. But they tend to view it more in the vein of "trade secrets" than "I'm going to demo this to everyone for free".


Preventing idiocy. I wish such a thing were possible. I am sure that you have heard: If you make something foolproof, they will make a better fool.


Totally agree with you, I do not understand this need to go digital. Voting has worked and works really well with paper, it's a process anyone can audit, even non-technical people. Sure it might take a day, and a bunch of money, but so what? Our democracy heavily relies on this process.


In theory, I don't mind digital voting. I do mind network connectivity and closed source machines.


Even if the machines were open source you'd have to personally inspect it to make sure it's actually running what it's supposed to be running. Unless you're ready to bring an electron microscope to the polling booth it doesn't seem particularly practical.

It would make more sense to check whether your vote was counted post-facto, but it's hard to, especially if you still want to make it difficult to figure out who voted for whom. There are a few mathematical possibilities but they don't seem particularly practical to me: https://www.youtube.com/watch?v=BYRTvoZ3Rho

So for the time being paper ballots are probably the way to go.


Gives you a paper result that you can verify, and leave there for manual recounts as needed. Checksums and verified hardware. This is not insurmountable.

You vote, confirm the receipt says the right thing, and stuff it in a box. Verified hardware is a solved problem. Given that it'd have no idea of the candidates, there's no way to program it ahead of time to favor a candidate without being caught.

We already have election officials watching each other. This needn't be more complicated than a late 70s calculator. It can even be so simple it doesn't know the candidates names or party affiliations.

Well, in theory... In reality, it will be a black box, connected to any open wireless, and made by the company who donated the most. But, in theory, it'd not be too hard to make a fairly dumb device that provides verification. It only has to count and print.


> Gives you a paper result that you can verify, and leave there for manual recounts as needed.

That's fair. I guess you could also force a recount for a random portion of the polling stations to detect anything fishy. I'm not sure if it'd be really worth it though, would it be such a massive improvement over simply counting paper ballots directly?

> Checksums and verified hardware.

Nah, that won't work. Who checks that? Who makes sure nobody tampers with the hardware after it's been verified? How can you even verify a piece of hardware, it could tell you it's running code X when really it runs code Y, no amount of checksumming will help. You could easily backdoor a processor to run a special ROM instead of the official one. Good luck detecting that.

Are we supposed to send electronic engineers to every polling station to check for any tampering with the hardware? How about people making copies of the chips that look exactly the same from the outside but are backdoored? You can't just trust whatever is printed on the package.

So what do you do? Take a random sample of machines during every election and decap all the chips to look for something abnormal?

IMO it's just too much hassle for very little benefit.


Take a random sample of machines and compare a number of pretend-votes to the outcome. But if cars change their behavior based on detecting a test environment, how would you trust a voting machine to not do something similar?

In the end a trusted minor miscount would be less bad than a count that is widely untrusted despite being correct: one would mean living through a "what if some people would have cast a different vote" alternative reality, the other would be a full blown legitimacy crisis, with unconstrained cheating in the next election as the least bad of all possible outcomes.

Just stick to paper ballots.


You haven't solved the problem that being able to prove to anyone else who you voted for should not be possible.


If there's a discrepancy, you count the paper receipts. You can order a million simple chips for like $0.03. The chip vendor isn't going to know who is running for dog catcher in 2018. You test a random sample to ensure they can count. You use simple code that is open source and write it to the memory exactly once and blow the fuse to prevent tampering.

We can put people in space. Verified hardware and software is a solved problem. Well, assuming you don't make it absurdly complicated. All it needs to do is eliminate manual counting - while providing a paper printout should someone need a recount.

You don't even need special tokens to make sure the person in the booth is only voting once. You can be as simple as making it flash an LED to be monitored by the election officials. They have volunteers from the various parties already there watching. Watching a light may even be easier.

It doesn't need to be complicated. It need only be a glorified abacus.


Did you reply to the wrong person? My comment was about one simple thing: It should NOT be possible to prove to anyone else who you voted for. Your reply doesn't seem to address that.

Separate from that, what does using millions of one-use physically collected chips buy you that just writing to a paper ballot doesn't?


You put your printout in the box, as I said above. It prints it out, you put it into the box after confirming it says you voted for who you said you voted for.

You buy millions of chips so that we never have to go through this again. This way, the validated code and hardware don't have to be worried about, for a long time. The chips go in the machine, they run it. You'll have spares for a very long time.

What does this do? When the polls close, they don't have to count them. They need only count if there's a demand to do so, like a recount today. That's it. Problem solved.


Oh, so you're in favor of electronic voting for instant results plus a write-only auditable paper trail. That's what I favor too. I didn't quite understand what you were getting at the first time; sorry about that.


In Oregon we're 100% mail-in paper ballots. I've come around to this idea too, especially after seeing some of the processing operations. Bulk counting in managed/secure facilities, along with secure storage of archival votes, seems like the way to go.


This does away with one of the key characteristics of the vote, not being able to demonstrate to someone else who you voted for. This makes it easy to coerce/buy votes in Oregon. If you don't want this property in your voting system (and you definitely should) doing Internet voting can actually be a safer solution in plenty of ways although it's still extremely tricky to implement properly. And I'm strongly against any form of electronic voting.


Doesn't pretty much any kind of mail-in option* already have that limitation, and don't most jurisdictions already have some kind of mail-in option?

*(maybe not ones where you actually have to produce a documented reason why you can't vote in person)


Oregon does 100% mail-in. In most other places it's only used by a very small proportion of the population if it exists at all. But yes, any time you enable mail-in you've thrown away a big guarantee of a voting system.


Do you know how they protect votes against being destroyed, either on the way or by an insider, and allow enough transparency to verify this hasn't happened?


And how do they deal with "Granny Farming": going to old people's homes and "helping" them with their ballots?


In general, the way to avoid this problem is for everyone to be vigilant and work together to keep the process fair. Blow the whistle if you see anything shady going on. To make a big change to the results, you need a big conspiracy, and the bigger the conspiracy the easier it is to spot.

When the process is simple and low-tech, like pen and paper ballots, it's possible for all ordinary people to contribute to keeping the process fair.

With electronic voting, you just have to trust the manufacturers and the voting officials. Everybody else is out of the loop.


It does not take long to aggregate votes using paper ballots. I was counting paper ballots in a national election, and we were done before 11 PM the same day.


In the UK some constituencies compete to be the fastest: 48 mins after the close of polls.


I've always found it bizarre that nobody questions this behaviour - where is the discussion of accuracy?


What would you question about it?

There are normally multiple observers from all parties, plus election officials, that scrutinize the counting process in real-time. Disputes are raised and resolved on the spot where possible, and if not are normally escalated. This is why elections can have provisional results on the same day/night, and the official results are a few days later.


I thought it was obvious the speed is essentially irrelevant to the democratic process in the context of minutes to count.

The extent of the competition over seconds and minutes here is bound to lead to some mistakes, and I would question whether the checks are sufficient (the checks themselves may also be susceptible to mistakes). The word "childish" comes to mind. We are talking about the future of the country and it's treated like a TV reality/quiz show.


Ballots are split in batches. Each ballot in a batch is counted twice, by two different people, and results are then compared. If the counts don't match, the batch is recounted.


You can start counting during the election. So, counting the last hundred or so ballots in ~1 hour gives plenty of time for accuracy.


> You can start counting during the election.

That seems very odd. Can you actually do that? Around here the polling location must first ensure that the number of votes cast matches the number of votes recorded during voting, only after that can they open the urns and start tallying.


The UK throws bodies at the problem. But, in theory you can have say 2 hour windows keeping track of the voters and start counting that.


Not in the UK you can't. All boxes are sealed until "the count" which only starts after the election has ended.


Sure, not in the UK, but the US for example starts early. There is also little reason to wait to count absentee ballots.

PS: Saying you need to change the law when that must happen with any significant change anyway is kind of a minor hurdle.


End to End Verifiable Voting, from Ron Rivest (the R in RSA):

https://www.youtube.com/watch?v=BYRTvoZ3Rho


>Electronic banking comes with many types of federal guarantees to protect against fraud. The government can step in to investigate and prosecute the fraud as well. But there is no such guarantee for the voting to select the government itself!

That's only because the government hasn't bothered to invest in electronic voting security, regulations, and rigor to the extent that they invested in fraud protection and financial regulations. I'm willing to bet that if the government cared more about modernizing, securing, and distributing our voting systems, we'd see improvement on the level of electronic banking and finance.

Not that I expect this to happen anytime soon. For various reasons, voting rights and opportunities in the US are steadily declining and don't seem to be taken seriously. You can fill in the blanks yourself there.


I think a hybrid solution makes the most sense.

Each voting machine tallies votes and prints out a filled-in paper ballot. Then you get quick electronic counting but with an auditable trail.


We already have the reverse and it works better. You fill out a paper ballot. You feed the ballot into an optical tallying machine. The tallying machine is just an efficiency measure. The paper ballot is the record of the vote. It can be audited statistically and/or manually.


I'm going to disagree that that is a clear win over my idea.

There are definitely issues with printing paper ballots (low toner, running out of supplies at polling locations, handling cases where the voter discovers an error after printing &c.), but similarly there are problems with optical tallying machines (e.g. hanging chads, incompletely filled in bubbles).


Optical machines do not have chads. Those are "punch card" machines. The low toner comment doesn't make any sense. The ballots are printed BEFORE the election. If you get a ballot that you can't read, you can return it to the pollster, they will mark the ballot as "unusable" and give you another. I know this because I've done this when I accidentally filled in the wrong circle. It's SOP.

Incompletely filled-in bubbles is a real problem, true, but in my experience I've never seen this.


Also, you can teach nearly anyone to be a scrutineer. Good luck teaching a layman to audit voting machine source code.


Electronic voting is dangerous and is a very bad idea. Voting should be done on paper, using pencils, put into ballot boxes, and counted by people.

Paper works, and it works well. It's a system that has worked well enough for thousands of years, and we have figured out most of the issues with it during that time. Anyone that can count can validate a single precinct. You can have one person, or 100 people all standing there watching a ballot box all day for tampering. You can have a whole group of people count the results, or just a few.

In a traditional paper system, swaying a single precinct with "blackhat" methods takes a lot of physical resources, a lot of time, and in most cases a lot of people. Then multiply that by every precinct in the country, and it quickly becomes pretty much impossible to do and get away with. Plus it leaves a physical "paper trail" (in the form of payment for people, communications, and physical materials or the receipts for those materials).

Electronic voting gives us very few benefits, and a significant amount of downsides. And it doesn't matter if it's FOSS, it doesn't matter if it's vetted, it doesn't matter what safeguards are put in place, all it takes is one mistake. One fuckup, and someone can now choose the leader of a nation, and in some cases that leader can change the rules of the next election, meaning it only takes one single mistake to ruin it for many many generations in the future.

And replacing a system where literally everyone can validate a system on voting day if they want to with a system where only a fraction of a fraction of people can even read and understand the code, let alone validate the code (and can't actually validate the hardware, or make sure what is running on the hardware is actually that code, or make sure that the hardware is even what it says it is), and it takes a magnitude more time to do so, just isn't a good idea.


The obligatory video from Computerphile and Tom Scott is obligatory.

Describes all the problems with electronic voting and why it's an awful idea. It's short for what it is, a fantastic eight minutes.

https://youtu.be/w3_0x6oaDmI


I know it's tangential to the point you're making, but I have to ask:

> using pencils

Why pencils? Aren't pens more secure (more difficult to erase / alter without leaving a visible mark on paper)?


According to the UK Electoral Commission [0]

> The use of pencils does not in itself increase the likelihood of electoral fraud: while pencil marks can be rubbed out, similarly, pen marks can be crossed out. What is key is that the integrity of the process from the point that a voter marks their ballot paper to the declaration of the result is maintained.

Anecdotally, I've heard people make the argument that pencils are more reliable than pens (mechanical failure etc.), that pens can be liable to smudging (especially if folded immediately after marking), and that the pencils they use are difficult (though not impossible) to rub out.

[0] https://www.whatdotheyknow.com/request/pencil


No reason why it needs to be pencils specifically, just that they are the simplest, and simple is better. I was more trying to speak to the idea that a person is making the mark themselves without any other "machinery" or anything.

I've seen complicated mechanical hole punching machines that can break down, or machines that generate a cast ballot that is placed in a box that you can't be sure cast the vote correctly. That's the kind of stuff I'm talking about avoiding when I say "using pencils".

Plus once your vote is put in the box, it doesn't matter if the ballot itself can be tampered with, as there should be multiple people watching that box until counted. So pen or pencil makes no difference. Erasable or otherwise doesn't matter. It can even just be a hole you poke in a box using the pencil. The important part is that nobody can touch it till it's counted in front of a bunch of people who all don't trust one another.


You could just have pre-printed ballots with the name of the person you're voting for on them. That's how we do it in France, no pen or pencil required.

I think in the USA there tends to be several issues on the ballots however, so I guess it's not very practical in that case. It probably makes the counting harder however.


> You could just have pre-printed ballots with the name of the person you're voting for on them.

Imagine a ballot (or something) that had the pre-printed names on them something like those paper "call me for xyz" things you see on bulletin boards everywhere (or well you used to)?

Basically the names would be on pieces of paper (maybe with a QR code?) about the size of what you get in a fortune cookie, that can be torn off the "ballot" and dropped in a box for later counting. With a QR code (or something similar), the counting could even be done with a machine.

Such a paper ballot could arguably have many names attached (here in the US we have so many positions and votes to cast on so many things it's mind boggling, especially during certain election times). I'm not sure if or how well it would work, but I think it might be doable - at least enough to attempt.


Ballots are usually pre-printed. But you still need a pen or pencil to check the right box.


Right, but it's still probably slightly harder to fill and count. Not massively so of course but maybe enough to slow things down.

Compare https://upload.wikimedia.org/wikipedia/commons/d/dc/France_%... with http://etc.usf.edu/clippix/pix/2012-presidential-election-ba...


In the Swedish voting system, there is one ballot per party, and you put the ballot for the party you are voting for into an envelope and put that envelope into the ballot box.

You only need a pen/pencil if you want to change the party's default ranking of their candidates (e.g. who in the party you want to see as prime minister) or you want to vote for a minor party which doesn't have ballots (write-in votes).

[I'm not endorsing the Swedish system just explaining how it works]


Same in Norway. One ballot per party. In local elections we vote for both council and municipality, so there's two sets of ballots. Council ballot goes in one box and municipality ballot goes in another box. No reason why we couldn't have 20 boxes if we also voted for issues directly.

Also in local elections we can write in other people and give people on the ballot an "extra" vote for which we use a pen (but this is voluntary and I assume most don't bother).


I mean you're not wrong. But the attack you are suggesting in mentioning the possibility of erasing and rewriting submitted votes is still avoided by general prevention of any ballot box tampering.


Not to mention lack of scalability, tampering would be pretty localized and not very effective for a state-wide electoral college vote.


With a pen mark you can just cross out the mark and put your X in another box. That would be accepted here in the UK at least.


And pencil marks can't be erased?


At my voting location they use paper ballots and only supply pens.


> Voting should be done on paper, using pencils, put into ballot boxes, and counted by people.

I'd go further and say that for such a manual system, the counting should be done as speedily as humanly possible, but that if it takes a few days to do it - then so be it.

I don't think this is one area that should be rushed, and I don't understand why so many people - including people who should know better - think it should be.


The Chaos Computer Club did some extensive educational work a couple years back to make sure we keep our paper ballots here in Germany. And this work keeps going to this day. I'm very grateful, seeing all the issues we are avoiding because of this, but the fight against misinformed or malicious politicians is still going on.

A very important factor in their work was making sure people called them "voting computers" instead of "voting machines". Most people have a sense by now that computers are hackable and insecure, if only through movies where hackers can hack every system. Calling them machines gives people the sense they are unhackable mechanical appliances.


Voting in Germany is very efficient anyway as votes are usually counted within 1-3 hours and a final result overnight. It's hard to see the advantage of computers, buying the machines will likely outweigh paper costs.

That's a bit different in other countries where counting paper ballots can take days. Doesn't make voting machines safer, though.


> That's a bit different in other countries where counting paper ballots can take days.

Seems to me the solution is to figure out what makes German voting and vote counting so efficient and replicate that, rather than switching to voting computers.


It's that ineffable German efficiency.


I think the key problem with electronic voting is the possibility of a "class break", as explained here by Bruce Schneier: https://www.schneier.com/blog/archives/2017/01/class_breaks....

If there's a flaw in the system -- and there will be flaws, the only question is how soon they're found -- there's a risk that the whole thing can be compromised in one fell swoop.

Whereas pen and paper voting, counted by hand, is slower and less accurate and has plenty of its own flaws, but there's no simple way to compromise the entire vote at once. You'd have to fool a whole bunch of different people in different ways, and/or recruit them into a huge conspiracy.

Other countries use pen and paper and it works fine. Electronic voting machines should be banned.


After more than a decade of security researchers raising the alarm over critical electronic voting machine vulnerabilities, I hope this finally causes some real demand for verifiable ballots.


No one really claims that the voting machines were secure because they were technically advanced. The voting system is secure because it is irregular and physically distributed and not connected.

In other words: hacking the election is up there with the US-planned 9/11; it would require social engineering of unheard-of proportions.


In a close election it's potentially feasible to flip an election by hacking the machines in a few hundred precincts across 2 or 3 states. Still unlikely but potentially feasible given a determined, well funded adversary.

And you wouldn't have to actually flip the election to undermine its legitimacy.

>In other words, hacking the election is up there with the US-planned 9/11

9/11 happened, so someone planned it. Very few people are worried about the US government hacking voting precincts. They're worried about a foreign government doing it.


If an election were flipped in such a way, it would be noticeable because the candidate would lose the popular vote (since the popular vote is a robust statistic and can't be flipped without a large number of hacked machines) but would somehow happen to win by a very narrow margin in a few critical swing states.

(Of course the same is true of any other campaign technique, legitimate or illegitimate, that relies on targeting specific precincts.)


> If an election were flipped in such a way, it would be noticeable because the candidate would lose the popular vote (since the popular vote is a robust statistic and can't be flipped without a large number of hacked machines) but would somehow happen to win by a very narrow margin in a few critical swing states.

sooo exactly what happened this election, roughly?


And if an election were flipped in such a way, it would turn out to be impossible to verify the results in a recount.

http://time.com/4599886/detroit-voting-machine-failures-were...


Was this sarcasm?

In case it wasn't, in the last election the candidate that won lost the popular vote by about 3 million votes. But won 3 critical swing states by about 80k votes total.

There was no widespread auditing of the voting machine code after this happened.


Hacking the machines in a few hundred precincts is impossible and not more possible today than it was 10 or 20 years ago.

9/11 happened because someone outside the government planned it and it didn't need that many to work. If the US government was behind it the way the conspiracy theories are told, it would have had to involve tens of thousands of people. Hacking the election to be anything meaningful would require exactly the same thing.


Why would it require tens of thousands of people?

Again, if an election is close you can flip it with less than 100k votes. And even if you don't flip it, you can cast doubt on its legitimacy if you leak some information showing what you did.

The machines are generally stored in centralized locations that aren't particularly secure.

If there are exploits that can be run from a USB drive, one break in and you could hack machines that will be used by tens of thousands of voters.

You could potentially pay off a security guard to let a few people in or just pay someone who has access to the stored machines to do it for you.

The CIA could definitely pull this off in another country, not sure why you think a foreign government couldn't do it here.

We managed to load Stuxnet onto airgapped embedded computers in a high security nuclear facility. Voting machines are easy compared to that.

I have no idea why you think you need tens of thousands of people to install an exploit on a few thousand centrally stored computers, built and maintained by a few companies.


You make it sound like those hacker movies where the bad guys have free access to networks and no security protocol around this.

Voting machines in the US aren't easy compared to that at all. Iran's security protocols are easy.

As long as there is a paper trail you can't just hack the US election EVEN if you got into hacking the machine which is extremely unlikely. Unless you convinced thousands of people to be in on your scheme. It won't happen.


>You make it sound like those hacker movies where the bad guys have free access to networks and no security protocol around this. Voting machines in the US aren't easy compared to that at all. Iran's security protocols are easy.

I'm sorry, but you have no idea what you're talking about.

>As long as there is a paper trail you can't just hack the US election

What paper trails? There is no paper backup for many states' election machines, that's the problem.


I don't understand what makes you think some massive conspiracy would be required. With a remote exploit you wouldn't need many conspirators at all. And plenty of elections are stolen each year the old-fashioned way with a massive number of conspirators, and ... it works.


Remote how? They aren't connected to the net.


You sure about that? Most of them have WiFi cards in them; they're connected to something, that is likely reachable from the net.

You can also imagine a single person compromising the firmware to be used in the next election to randomly flip enough votes over to a specific side to cause a win. This could be done by either an insider, or an outsider that has managed to hack the voting machine company's network.


Yes I am sure about that.


> 9/11 happened because someone outside the government planned it and it didn't need that many to work. If the US government was behind it the way the conspiracy theories are told, it would have had to involve tens of thousands of people.

Would it?

First off - I don't believe the evidence supports the US government doing it. I'm not saying there aren't any unanswered or uninvestigated questions, only that the evidence we do have and has been investigated doesn't support it being an "inside job". That said...

Why couldn't Bin Laden have been supplied money and plans via say the CIA or something? Obviously covertly, in such a manner that Bin Laden wasn't aware that this was being done on the behest of the CIA. If the money and such were coming from some black-ops line item in the budget, and things were kept extremely tight inside the government agency and abroad, I honestly don't think 10000+ people would be in the know, or need to be used. It could probably be done with fewer than 100 people, and if those 100 people were dedicated enough, they would likely all keep mum about it, especially if the plan succeeded.

Basically, I'm postulating on the fictional idea that there could be a group of people, high up in a government or other quasi-government agency, who are (in effect) led and acting on a hardcore fundamentalist belief system that says that (for whatever reason) the US needs to experience this attack and for it to happen in such a manner to change things. Essentially, an inside rogue terrorist cell. Perhaps it was built up over the decades since the Reagan years (or even further back), with the idea that once large enough, the plan would be carried out in such a way to not implicate them, and ultimately install their guy at the top. Kinda a slow-mo coup or something, with the attack being the illegal precursor to the takeover via legal means (because of terror and fear pushing people to vote in a much different manner - perhaps manipulated as well).

Probable? Not likely, outside of a Tom Clancy novel. Possible? Well - perhaps. We've learned of stranger things in history, long after the events have passed.

Ultimately, there's no evidence for any of this being the case, and it's just a fictional possibility. But I don't think it is something that would require 10000+ people to pull off; that's only necessary if the group doing the work needs it done "now" - and isn't willing to wait decades for the final shoe to drop.


There are far far too many links in that massive chain to trust on obscurity as security.


Unless you can point to how someone gets access to a lot of machines at one time, then yes, obscurity is actually a really strong method.

Furthermore, it's not just obscurity; it's also the other things I mentioned, non-connectedness being one of the biggest.


You don't need to get access to a lot of machines. Because the chain is long and obscure, there's no way to be verifiable, and even if there was that chain would require specialist infallible programmers to ensure nothing has been tampered with.

I'm not sure how you can argue that obscurity is a strong method of security when one machine in the country could be compromised, or the counting method code could be compromised, or the programmer verifying the code could be compromised, or the distribution system of voting machines could be compromised, or any part inside the voting machines could be compromised (e.g. the touch interface), or whether the voting machine remains secure during the voting period (i.e. voters tampering with it on poll day).


If the machines aren't connected of course you need access to a lot of machines to have any effect on an election.

All machines are hackable; all systems are hackable. But focusing on the box showing you can hack that changes absolutely nothing about the overall threat of the US election being hacked. No one with serious technical understanding would claim that it was impossible to hack the boxes. And so you are back to a much harder task which is the social engineering part of convincing thousands of people to betray their country and no one finding out.


> All machines are hackable all systems are hackable.

Then why use machines at all? As mentioned in this thread multiple times, Germany can count all votes within a few hours without any voting machines.


To alter the results in a cheaper way than with traditional vote stuffing methods, as recently observed in the Turkish national referendum. https://arxiv.org/abs/1706.09839


Since when has any of this been rational? People want digital because they think it's better or more accurate.


I am not a fan of electronic voting as it exists today. But, I expected to see someone advocate a blockchain-like trail to ensure election integrity.

Also, why don't we have automatic voter registration? Let's pay this cost once and move on.


It's not to the advantage of all parties to ensure everyone can vote.


I'm for both. Aka you submit your ballot on paper. Have a machine and people both count the vote. If the machine count has a different outcome vs people then you know you've got an issue.

By outcome I mean something like machine had person A winning, people count has person B.


We do something similar in Spain. We vote with paper ballots. Then, when polls close, the volunteers at each table count the ballots and input the data into an electronic system, which makes the aggregates. In a few hours (4-5) we have the results of the election.

However, paper ballots are returned to the voting urns and sealed. The sealed urns are then sent to a few centralized counting locations where they are manually counted again by civil servants during the course of a few weeks. (Party representatives can witness both countings).

Usually there are some very very small differences between the first and the second counting, but I don't recall even a seat changing because of them. This has the advantage of being both fast and safe.


In my country a losing presidential candidate has been able to convince part of his base that there was electronic fraud using an 'algorithm' even though the whole process was done manually. Imagine if it was really done electronically. That is why I am convinced voting should be done with paper and pencils.


In my country, it was the winning presidential candidate complaining about fraud.


Put us back on paper ballots. Christ, some systems should be as simple as possible.


Much of the US does use optical scan paper ballots:

https://ballotpedia.org/Voting_methods_and_equipment_by_stat...

Hopefully the message that paper ballots are simpler and provide a strong audit trail will continue to beat back the new and shiny.


Are optical scan ballots really "paper ballots"? It seems to me that in all the relevant criteria, this is just electronic voting with a different input method.


Optical ballots provide a verifiable trail that can be used to audit the electronic counting machines. Seems that whatever system we use could benefit from some randomly selected mandatory audits/recounts at every level.


Yes, they are paper ballots. The "machine" is a pen and the ballot and the official record of the vote is the paper ballots, the electronic tally is just for convenience.

So for example, if the machine in a precinct catches fire and explodes, the vote proceeds, except the ballots are placed in a box. If the numbers reported by the machine are nonsensical, the machine is set aside and the ballots are counted manually. If there is a recount, the ballots are counted manually.


> If the numbers reported by the machine are nonsensical

The problem is that this is not a sufficient criterion for detection. Presumably a hacked machine would spit out "sensical" counts that are biased to one side, not 99% for one party or something like that. How would you detect that by just looking at a simple sum?

I can't really see how to verify the count without having everyone check that the machine printed what they thought, and having multiple people perform independent counts that must match.

You could have people count later and check that the machine got it right, but then consider the problems that would cause if the media was reporting bad numbers before the official count is finished.


The point of that remark was to point at the ballots being the actual record of the vote rather than the result provided by the counting machine.

It is certainly the case that trust in such machines could be misplaced.


> It is certainly the case that trust in such machines could be misplaced.

Right but if that's the case, you're going to have to count them by hand at some point. So what do the machines bring to the table, if their whole purpose is to avoid that?


You usually only need to hand count a small number of randomly selected votes to verify the result statistically. The exception being very close results where a handful of votes makes the difference.
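The statistical check described in the comments above, as an added example that is not part of this thread: a ballot-polling risk-limiting audit using the BRAVO rule (Lindeman, Stark and Yates, 2012), run against constructed paper ballots. It targets the earlier worry that a hacked machine would report plausible but biased totals: paper ballots are drawn in an order fixed by a publicly chosen seed, and the audit either confirms the machines' reported winner at a 5% risk limit or escalates to a full hand count. The candidate names, ballot counts and seeds are assumptions.

```python
import math
import random


def hand_count(ballots):
    """Full manual tally of the paper ballots (the fallback when the audit fails)."""
    counts = {}
    for choice in ballots:
        counts[choice] = counts.get(choice, 0) + 1
    return counts


def bravo_audit(reported_winner_share, ballots, winner, risk_limit=0.05, seed=2017):
    """Ballot-polling risk-limiting audit (BRAVO rule) for a two-candidate contest.

    reported_winner_share: the fraction the machines reported for `winner` (> 0.5).
    ballots: the paper ballots, each labelled with the choice a human reads on it.
    Ballots are drawn in a random order while a sequential likelihood ratio of
    "the reported share is right" against "the race is really a tie" is kept.
    Crossing 1/risk_limit confirms the outcome; running out of ballots first
    means the reported result was not supported and every ballot is hand counted.
    """
    if not 0.5 < reported_winner_share < 1.0:
        raise ValueError("winner share must be strictly between 0.5 and 1")
    log_threshold = math.log(1.0 / risk_limit)
    gain = math.log(reported_winner_share / 0.5)          # drew a ballot for the winner
    loss = math.log((1.0 - reported_winner_share) / 0.5)  # drew a ballot for anyone else
    order = list(range(len(ballots)))
    random.Random(seed).shuffle(order)  # seed chosen in public (e.g. dice) so the sample is honest
    log_ratio = 0.0
    for draws, idx in enumerate(order, start=1):
        log_ratio += gain if ballots[idx] == winner else loss
        if log_ratio >= log_threshold:
            return {"status": "confirmed", "draws": draws, "counts": None}
    return {"status": "full_hand_count", "draws": len(ballots),
            "counts": hand_count(ballots)}


def make_ballots(total, share_a, seed=7):
    """Constructed paper ballots: `share_a` of them for A, the rest for B, shuffled."""
    n_a = round(total * share_a)
    ballots = ["A"] * n_a + ["B"] * (total - n_a)
    random.Random(seed).shuffle(ballots)
    return ballots


if __name__ == "__main__":
    # Machines reported A at 55%; in the first case the paper agrees, in the
    # second the machines shifted ten points and B actually won.
    honest = bravo_audit(0.55, make_ballots(20000, 0.55), "A")
    hacked = bravo_audit(0.55, make_ballots(20000, 0.45), "A")
    print(honest)
    print(hacked["status"], hacked["counts"])
```

With a genuine 55/45 result only a few hundred of the 20,000 ballots need to be read; when the paper disagrees the ratio never reaches the threshold and the audit ends in a full hand count.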


That is a good point, as long as "randomly selected" can be assured.


So, just make the machines nationwide present "sensible" but false results?


Well, in addition to (just) hacking all the machines, you'd have to tamper with a sufficient number of exit polls to limit recounts (and the waves of subsequent recounts that would follow widespread evidence of tampering).


I don't get why. Counting ballots is so easy. Fraud can easily be prevented (open process that everyone can attend, group of people who have to agree on the result, re-counting by officials of results that are outliers and of some random samples, etc). Plus it's cheap. I find it hard to believe that these systems can be cheaper than a few people working for $10/hr. Counting a few thousand votes can easily be done in 2-3 hours by 3 people (by my own experience).


How many issues are on those ballots?

I think my most recent vote was for ~10-12 different positions and also a couple of laws or taxes.


The county I live in already did this for the most recent elections.


I like paper voting but there should be a holiday and the vote should be mandatory even if only to check off "none of the above." The reason I like electronic despite its flaws is someone can do it while on the toilet, and here in the US where there is low turnout and voter suppression, that's about where I want the bar to be.


Where is the memory card physically stored? Is that something that a hacker could easily gain access to without being noticed?


Top of the device, secured with a simple Phillips head screw during use, easily accessible.


There is an excellent podcast series on the subject of electronic voting, where several experts give their opinions.

https://www.predictingourfuture.com/online-voting/

After listening, I became convinced that electronic/internet voting is a terrible idea.


I'm old enough to remember when e-voting was brought about by the Bush administration. At the time those of us on the far left were convinced that Bush was the American incarnation of Hitler (seems quaint now, doesn't it) and Diebold e-voting machines were going to precipitate the end of democracy.


What if we've gotten into some kind of weird feedback loop where every swing of the pendulum between the two parties has been leading to more and more "extreme" candidates on each side?

Or what if the extremism is only on one side, because they perceive the other side as being too extreme, when that side is just trying to be for the people?

I'll leave you to decide which side is which, of course...and where all this might lead (it ain't pretty, should this actually be what is playing out).


That seems like the typical attitude of the left. "If you're not with the left, you're Hitler."


I'm more surprised that you can buy voting machines from eBay.


A voting machine with frickin' open USB and Ethernet ports?


Almost all of them have open USB and Ethernet ports, or just connect to the alphabetically first WiFi they can find.


> just connect to the alphabetically first WiFi they can find

Do you have any sources for that?


Hm, apparently I misunderstood, someone found some voting computers that just connect to the first WiFi they find with the correct name.


Voting needs something called "homomorphic encryption", which allows simple arithmetic to be performed on encrypted data without decrypting it.
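As an added example (not part of this thread): an additively homomorphic tally with the Paillier cryptosystem, one of the schemes with exactly the property this comment describes. Each vote is encrypted individually, the tallier multiplies ciphertexts without decrypting anything, and only the private key (in practice split among several trustees) reveals the sum. The primes, the candidate encoding and the sample votes are constructed for the example.

```python
import math
import secrets

# Fixed small primes so the example is reproducible: a CONSTRUCTED toy key,
# thousands of bits too small for any real deployment.
P, Q = 104729, 1299709


def keygen(p=P, q=Q):
    """Paillier key pair using the common simplification g = n + 1."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    mu = pow(lam, -1, n)                                 # valid because g = n + 1
    return n, (lam, mu)


def encrypt(n, m):
    """Randomised encryption: the same vote encrypts differently every time."""
    nsq = n * n
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    return (pow(n + 1, m, nsq) * pow(r, n, nsq)) % nsq


def decrypt(n, priv, c):
    lam, mu = priv
    nsq = n * n
    l_value = (pow(c, lam, nsq) - 1) // n   # Paillier's L(x) = (x - 1) / n
    return (l_value * mu) % n


def add_encrypted(n, c1, c2):
    """Multiplying ciphertexts adds the plaintexts: E(a) * E(b) = E(a + b)."""
    return (c1 * c2) % (n * n)


def encode_vote(candidate, num_candidates, num_voters):
    """Pack a choice as B**candidate with B > number of voters, so counts never carry."""
    if not 0 <= candidate < num_candidates:
        raise ValueError("unknown candidate")
    return (num_voters + 1) ** candidate


def decode_tally(total, num_candidates, num_voters):
    base = num_voters + 1
    return [(total // base ** k) % base for k in range(num_candidates)]


def run_election(votes, num_candidates):
    """votes: one candidate index per voter. Returns the per-candidate counts."""
    n, priv = keygen()
    num_voters = len(votes)
    if (num_voters + 1) ** num_candidates >= n:
        raise ValueError("tally would overflow the modulus; use bigger primes")
    # Each booth submits only a ciphertext; the tallier never sees a plaintext vote.
    ciphertexts = [encrypt(n, encode_vote(v, num_candidates, num_voters)) for v in votes]
    acc = encrypt(n, 0)
    for c in ciphertexts:
        acc = add_encrypted(n, acc, c)
    # Only the private key holder decrypts, and only the aggregate.
    return decode_tally(decrypt(n, priv, acc), num_candidates, num_voters)
```

A voter could still encrypt a malformed value such as five copies of a vote, which is why real designs attach a zero-knowledge proof that each ciphertext encodes exactly one valid choice.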


Very nice. Voter McVoteyFace deserves an upvote.


This just re-stresses the point to COMPETITION in the electronic voting space. If you had a monopoly over the systems, what encouragement would you have to upgrade them? There are all sorts of ways to innovate "e-voting", and all of them are objectively improved over the current US methods.


Yap, let's introduce the "invisible hand of the free market" into the voting system. As we have all experienced, that always leads to the safest and most ethical outcome.


especially when the customer differs from the users


What are some of the benefits of e-voting that make up for the possible shortcomings?

From my perspective, e-voting is more difficult for the blind/disabled, more difficult to audit and check (you'd need to be a programmer that is well versed in cryptography to even begin to audit a codebase), much harder to verify/validate your own vote was even cast, much less reliable, and overall is confusing and harder to use.

The only benefit I can see is making it easier to vote for those working or who aren't able to get to a precinct. But that's a problem I'd much rather have solved by making it a mandatory holiday and providing state-paid-for transportation on election days.


>There are all sorts of ways to innovate "e-voting", and all of them are objectively improved over the current US methods

Can you expand on the objective improvements?


One word: Microsoft.


Depending on how conspiratorially minded you are, being able to exfiltrate/alter voter rolls could be seen as more of a feature than a bug.


Yep. So could not having a lock on your car.


Lack of feature can't be called a feature


Excuse me, by "no lock on your car" I meant "ability to exfiltrate car and/or its contents without a key." Better?


Every time this comes up, it seems to me that the obvious answer is that we should get rid of the secret ballot. If everyone's vote is public then everyone can check that their own vote was counted correctly. I know the argument is that people may face pressure at home and be afraid to vote, but is there anyone left who doesn't tell everyone how they voted? Maybe I'm living in a bubble, but I know exactly who all of my friends and family voted for; none of them ever tried to keep it a secret.


Secret voting became a thing because people were facing harassment, termination from their jobs, and violence when they voted "incorrectly". It's naive to think these problems won't return immediately if votes become public.


"Those who don't know history are doomed to repeat it"


Not only is secret voting an integral part of a democratic voting system, it is also entirely possible to implement a system where everyone can check their own vote while keeping their vote secret. Each registrant can simply be given a unique string that is connected with their vote.


Having the ability to verify your own vote is still dangerous.

There's a fine line between "can be verified by the government at any time who you voted for" and "can be forced to show proof of who you voted for" or even "if you don't publicly show your proof of who you voted for, you are on a list". Not to mention the ability to "sell" your vote to whoever and have proof that you followed through.

In a truly "secret ballot" voting system, you should be incapable of proving who you voted for. You can still tell others who you voted for, but there shouldn't be any "proof".


Look up Scantegrity. It provides the ability to prove that your vote was counted as cast, but not the ability to prove who you voted for.


I'm perfectly fine with being able to prove your vote was cast (I'd actually prefer if you were required by law to vote. You can make a vote of "nobody", but you'd need to vote), but that is very different from being able to verify who you voted for.

But even still, paper ballots where you check off a square and put it in a box can give the same assurances as that complicated Scantegrity system as long as you stick around and watch the ballot box yourself till it's counted. Yes, it's a day of time, but it's something you or literally anyone else can do regardless of age, gender, ethnicity, social status, education, or anything else.


Not possible to watch it being counted.

* The ballot gets mixed in with others
* the bundle gets divided up (A cards go in 1 bundle, B cards go in another)
* taken to a vote counting location
* each bundle is then divided between ballot counting machines.

The whole point is that an individual ballot becomes untraceable before the counting actually starts.


I disagree.

When you're casting a vote on paper, it's pretty easy to check that your vote is not being observed.

When you're casting an electronic vote, you have no such option. You can claim the vote is secret. The developers of the voting machine can claim the vote is secret. But the voter has no way to verify this.

Secret voting is too important to be left to voting machines.


> When you're casting a vote on paper, it's pretty easy to check that your vote is not being observed.

One thing I've been thinking about lately, is that while we all probably have better intuition for "protecting" our paper vote, I'm not convinced that the huge advances in monitoring technology, covert and generally available, hasn't to an extent invalidated this somewhat.

You really only need to be able to read some markings on paper (in IR, via some kind of fairly low resolution x-ray, what have you) - with the voter (eg: general camera surveillance showing a person entering a voting booth) - in order to monitor a vote. It's certainly much higher demand on manpower to do it, but I don't think it should be discounted - the payoff will be proportional to the power wielded by the public office being elected for.

So while I think "let's do electronic voting!" is a crazy blanket statement to make in order to improve security, I don't think we should be so certain analog voting is as secure today, as it was in the 80s and earlier.


> I don't think we should be so certain analog voting is as secure today, as it was in the 80s and earlier.

correct - the machines are vulnerable even if the paper is not.


The unique string would enable coercion (you come back from the polls with the string that says you voted X or else your mother gets it!) and vote selling (you come back from the polls with the string that says you voted X and this wad of dough is yours).


> you come back from the polls with the string that says you voted X

How would the criminals know what the unique string would be for a particular vote?


No it's not possible. If you provide any way for an individual to verify their own vote, then they can be coerced to provide the same proof to someone else.

In this case the coercer would just force the voter to give them their string after they vote. Now they could theoretically lie, but they'd have to be able to give a valid string that matches the preferred vote of the coercer, and that no one else has already given them. This is sufficiently hard to arrange that at least some people will not be able to do so.


That doesn't solve any of the problems that public voting records create. You can't keep your vote secret if you can access it later. Someone can steal your secret identifier or they can coerce you to give it up.


We have these "receipts" with a code that matches the one on the ballot on the paper ballots in SF, though I've never actually tried to check it anywhere.

Has anyone else tried this?


The SF elections website allows you to confirm that your ballot was counted. But not how you voted.


And Scantegrity lets you further confirm that your individual votes on the ballot were counted correctly, but still keeps the whole vote secret.


> is there anyone left who doesn't tell everyone how they voted?

Of course; there are people who live with family members who are very vocal about The Right Way To Vote; there are people who live in parts of the country that are the same way; and there are people who work for employers who they don't see eye-to-eye with politically.

Imagine living in a devout Catholic household, and voting for a pro-abortion candidate. Or working for a gas fracking company, where every other employee has a gun rack on their truck, and voting for the gun-control candidate.


I think the argument is more that someone can then sell their vote, because they can prove how they voted.


What if some of them kept it a secret by misrepresenting things to you?

With secret ballots, you have no way to verify whether this is the case.

There are also things like not worrying about disclosing it to you but keeping it private from, say, a manager or employer.

And on and on. Saying something like it wouldn't bother me and mine any is sort of a weak argument for things that will apply to everyone, because there are lots of people with lots of different circumstances.


>If everyone's vote is public then

...people can be coerced to vote a certain way.

Your personal experience doesn't apply at large, as you rightly wondered.


This makes me wonder. What if you had a -choice- of making your vote public?

Perhaps a percentage of the voters, those who fear no public repercussions, would choose to make their own public.

What would be the implications in this situation?


You can do that today. However, no one can verify you are telling the truth. That is the key point.


If you can choose to make your vote public then you can be coerced to make it public.


> but is there anyone left who doesn't tell everyone how they voted?

2016 was full of such examples in at least 2 countries ...

